chore(evalboard): address npm Dependabot alerts#18
Merged
Conversation
Add an npm version-updates block to dependabot.yml so the Next.js frontend no longer drifts until a CVE fires. Bump the runtime deps that back the open alerts (next 15.5.20, plus postcss / uuid / fast-xml-builder / @babel/core via pnpm overrides). Lazy-load the Azure SDK behind optionalDependencies so local-mode readers never pull @azure/*. storage-blob is capped below 12.33.0 to stay on the project's node 20 baseline. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Claude finished @bai-uipath's task in 1m 22s —— View job Code Review in Progress
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

What
Clears the open npm Dependabot alerts on the evalboard frontend and stops them from piling up again. All 26 alerts came from this one Next.js app; the Python core has none.
Three parts:
Adds an npm version-updates block to
dependabot.yml(grouped, monthly) and batches the existing github-actions bumps into one grouped PR too. Until now nothing routinely refreshed the frontend, so it drifted until a CVE fired — this keeps next/React/Azure ahead of most advisories going forward, as a single low-noise PR per ecosystem.Patches the runtime alerts:
nextto 15.5.20, pluspostcss/uuid/fast-xml-builder/@babel/corepulled to their fixed versions.Lazy-loads the Azure SDK and moves
@azure/*tooptionalDependencies, so local-mode readers (and OSS users who skip optional installs) never pull it.@azure/storage-blobis capped below 12.33.0, which raised its floor to node 22, to stay on the project's node 20 baseline.Why
Public-repo hygiene on a repo we want to showcase. The frontend runs only as a localhost dev tool or a read-only, SSO-gated internal dashboard, so real exploit risk is low — but keeping the alert list clean and self-maintaining is worth doing.
Testing
Local build + tests:
pnpm run verify(typecheck + 324 unit tests +next build) passes on Node 20.Azure fetch (remote mode): exercised the app against Blob Storage — it lists and reads runs through the lazy-loaded Azure SDK via
DefaultAzureCredential, confirming the asyncgetContainer/ dynamic-import refactor still fetches from Azure as before.Deploy: reproduced the hosted deploy's exact install (
npm install --omit=devfrompackage.json, perdeploy.sh) and confirmed@azure/*(storage-blob 12.32.0) installs and resolves on the deploy's Node 22 — moving Azure tooptionalDependenciesdoes not break the hosted deploy.Related Dependabot settings (not code in this PR)
The dev-only alerts (~half of the list: vitest, vite, esbuild, ws, form-data) never ship — the
output: "standalone"build excludes dev deps. Rather than bump them, a repo Dependabot auto-triage rule ("Dismiss development-scoped npm alerts", indefinitely) now auto-dismisses dev-scoped npm alerts — clearing those (including the two "critical" vitest alerts) and keeping future dev-only alerts out of the queue.